Notice

This article is intended for support and for IT professionals. If you are not comfortable with advanced information, you might want to ask someone for help or contact support. For information about how to contact support, visit the following Microsoft Web site:

Summary

This article describes how and where Internet Explorer security zones and privacy settings are stored and managed in the registry. You can use Group Policy or the Microsoft Internet Explorer Administration Kit (IEAK) to set security zones and privacy settings. If you are using Group Policy or IEAK on a Microsoft Windows 2000-based computer, you may have to install several hotfixes to set security zones and privacy settings. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

Resolution

Privacy in Internet Explorer 6

Internet Explorer 6 added a Privacy tab to give users more control over cookies. There are different levels of privacy for the Internet zone, and they are stored in the registry at the same location as the security zones.

You can also add a Web site to enable or to block cookies based on the Web site, regardless of the privacy policy on the Web site. Those registry keys are stored in the following registry subkey:

registry subtree. Because this subtree is dynamically loaded for each user, the settings for one user do not affect the settings for another.

If the Security Zones: Use only machine settings setting in Group Policy is enabled, or if the Security_HKLM_only DWORD value is present and has a value of 1 in the following registry subkey, only local computer settings are used and all users have the same security settings:

With the Security_HKLM_only policy enabled, Internet Explorer uses the HKLM values. However, the HKCU values are still displayed in the zone settings on the Security tab in Internet Explorer. In Internet Explorer 7, the Security tab of the Internet Options dialog box displays the following message to indicate that settings are managed by the system administrator:

Some settings are managed by your system administrator

If the Security Zones: Use only machine settings setting is not enabled in Group Policy, or if the Security_HKLM_only DWORD value does not exist or is set to 0, computer settings are used together with user settings. However, only user settings appear in the Internet Options. For example, when this DWORD value does not exist or is set to 0, HKEY_LOCAL_MACHINE settings are read together with HKEY_CURRENT_USER settings, but only HKEY_CURRENT_USER settings appear in the Internet Options.

TemplatePolicies

The TemplatePolicies key determines the settings of the default security zone levels. These levels are Low, Medium Low, Medium, and High. You can change the security level settings from the default settings. However, you cannot add more security levels. The keys under TemplatePolicies contain values that determine the settings for the security zone. Each key contains a Description string value and a Display Name string value that determine the text that appears on the Security tab for each security level.

ZoneMap

The ZoneMap key contains the following keys:

Domains

EscDomains

ProtocolDefaults

Ranges

The Domains key contains domains and protocols that have been added to change their behavior from the default behavior. When a domain is added, a key is added to the Domains key. Subdomains appear as keys under the domain where they belong. Each key that lists a domain contains a DWORD with a value name of the affected protocol. The value of the DWORD is the same as the numeric value of the security zone where the domain is added.

The EscDomains key resembles the Domains key except that the EscDomains key applies to those protocols that are affected by the Enhanced Security Configuration (ESC). ESC was introduced in Microsoft Windows Server 2003.

The ProtocolDefaults key specifies the default security zone that is used for a particular protocol (ftp, http, https). To change the default setting, you can either add a protocol to a security zone by clicking Add Sites on the Security tab, or you can add a DWORD value under the Domains key. The name of the DWORD value must match the protocol name, and it must not contain any colons (:) or slashes (/).

The ProtocolDefaults key also contains DWORD values that specify the default security zones where a protocol is used. You cannot use the controls on the Security tab to change these values. This setting is used when a particular Web site does not fall in a security zone.

The Ranges key contains ranges of TCP/IP addresses. Each TCP/IP range that you specify appears in an arbitrarily named key. This key contains a :Range string value that contains the specified TCP/IP range. For each protocol, a DWORD value is added that contains the numeric value of the security zone for the specified IP range.

When the Urlmon.dll file uses the MapUrlToZone public function to resolve a particular URL to a security zone, it uses one of the following methods:

If the URL contains a fully qualified domain name (FQDN), the Domains key is processed. In this method, an exact site match overrides a random match.

If the URL contains an IP address, the Ranges key is processed. The IP address of the URL is compared to the :Range value that is contained in the arbitrarily named keys under the Ranges key.

Note Because arbitrarily named keys are processed in the order that they were added to the registry, this method may find a random match before it finds the intended match. If a random match is found first, the URL may be executed in a different security zone than the zone to which it is typically assigned. This behavior is by design.
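The resolution order described above, as an added simulation that is not code from this article or from Urlmon.dll. The ZoneMap contents are constructed; the :Range formats (a single address or "first-last"), the treatment of a domain-wide DWORD as covering the domain and its subdomains unless a more specific subdomain key exists, and the fallback to the Internet zone for an unknown protocol are assumptions of this example. Zone numbers 1 to 4 use Internet Explorer's standard numbering; the article itself only shows zone 0. The shadowed_ranges helper is the check a reviewer would run for the ordering problem described in the Note: a Ranges key that is entirely covered by an earlier key for the same protocol never takes effect.

```python
"""Simulation of how MapUrlToZone walks the ZoneMap data described above.
Constructed example: not code from the KB article or from Urlmon.dll,
and the registry contents below are made up."""
import ipaddress
from urllib.parse import urlsplit

# Standard Internet Explorer zone numbers (the article itself only shows zone 0).
ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Constructed ZoneMap. The layout mirrors the registry structure the article describes:
#   Domains\<domain>[\<subdomain>]  one DWORD per protocol holding the zone number
#   Ranges\<arbitrary name>         a ":Range" string plus one DWORD per protocol
#   ProtocolDefaults                one DWORD per protocol
# Inside a Domains entry, int values are protocol DWORDs and dict values are subdomain keys.
ZONEMAP = {
    "Domains": {
        "contoso.com": {"https": 2,             # contoso.com and its subdomains over https
                        "www": {"http": 3}},    # exact site www.contoso.com over http
        "fabrikam.net": {"http": 4, "https": 4},
    },
    # A list, because Ranges keys are processed in the order in which they were added.
    "Ranges": [
        ("Range1", {":Range": "10.0.0.0-10.255.255.255", "http": 1}),
        ("Range2", {":Range": "10.0.5.7-10.0.5.7", "http": 2, "https": 2}),
    ],
    "ProtocolDefaults": {"http": 3, "https": 3, "ftp": 3, "file": 0},
}

def _split_host(host):
    """'www.sales.contoso.com' -> ('contoso.com', 'www.sales'); a bare domain -> (domain, '')."""
    labels = host.lower().split(".")
    if len(labels) <= 2:
        return host.lower(), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def _lookup_domain(domains, host, protocol):
    """Domains lookup: an exact subdomain key with a DWORD for the protocol wins over the
    domain-wide DWORD (assumption: the domain-wide DWORD covers all subdomains)."""
    domain, sub = _split_host(host)
    entry = domains.get(domain)
    if entry is None:
        return None
    exact = entry.get(sub) if sub else None
    if isinstance(exact, dict) and protocol in exact:
        return exact[protocol]
    zone = entry.get(protocol)
    return zone if isinstance(zone, int) else None

def _bounds(spec):
    """Parse a ':Range' string; assumed forms are 'first-last' or a single address."""
    lo, _, hi = spec.partition("-")
    lo_ip = ipaddress.ip_address(lo.strip())
    return lo_ip, (ipaddress.ip_address(hi.strip()) if hi else lo_ip)

def _lookup_range(ranges, ip, protocol):
    """Ranges lookup in insertion order: the first key whose range holds the address and
    which has a DWORD for the protocol wins, even if a later key is more specific."""
    for name, values in ranges:
        if protocol not in values:
            continue
        lo, hi = _bounds(values[":Range"])
        if lo.version == ip.version and lo <= ip <= hi:
            return values[protocol], name
    return None, None

def map_url_to_zone(url, zonemap=ZONEMAP):
    """Return (zone number, source key) following the article's resolution order."""
    parts = urlsplit(url)
    protocol, host = parts.scheme.lower(), parts.hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is None:                                   # FQDN: the Domains key is processed
        zone = _lookup_domain(zonemap["Domains"], host, protocol)
        if zone is not None:
            return zone, "Domains"
    else:                                            # IP address: the Ranges key is processed
        zone, name = _lookup_range(zonemap["Ranges"], ip, protocol)
        if zone is not None:
            return zone, "Ranges\\" + name
    # No site match: ProtocolDefaults decides (unknown protocol -> Internet, an assumption).
    return zonemap["ProtocolDefaults"].get(protocol, 3), "ProtocolDefaults"

def shadowed_ranges(ranges):
    """Audit helper: Ranges keys that can never take effect for a protocol because an
    earlier key already covers every address in them (the ordering behaviour in the Note)."""
    found = []
    for i, (name, values) in enumerate(ranges):
        lo, hi = _bounds(values[":Range"])
        for earlier_name, earlier in ranges[:i]:
            elo, ehi = _bounds(earlier[":Range"])
            shared = [p for p in values if p != ":Range" and p in earlier]
            if shared and elo.version == lo.version and elo <= lo and hi <= ehi:
                found.append((name, earlier_name, shared))
    return found

if __name__ == "__main__":
    for url in ("https://mail.contoso.com/", "http://www.contoso.com/",
                "http://10.0.5.7/", "https://10.0.5.7/", "ftp://example.org/"):
        zone, source = map_url_to_zone(url)
        print(f"{url:28} -> {zone} ({ZONE_NAMES[zone]}) via {source}")
    print("shadowed:", shadowed_ranges(ZONEMAP["Ranges"]))
```

In the constructed data, http://10.0.5.7/ resolves to Local intranet through Range1 even though Range2 names that exact address for Trusted sites, because Range1 was added first; https://10.0.5.7/ reaches Range2 only because Range1 has no https DWORD. shadowed_ranges reports exactly that kind of entry, which is what to look for when a site-to-zone assignment "does not apply" on a machine.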

Zones

Note By default, starting with Windows XP SP2, the Local Machine Zone is locked down to help improve security. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

922704 Information about some new Group Policy settings for Internet Explorer Security Zones in Microsoft Windows XP Service Pack 2 and in Microsoft Windows Server 2003 Service Pack 1

In this registry subkey, <ZoneNumber> is a zone such as 0 (zero). The 1200 registry entry and the 2000 registry entry each contain a setting that is named Administrator approved. When this setting is enabled, the value for the particular registry entry is set to 00010000. When the Administrator approved setting is enabled, Windows examines the following registry subkey to locate a list of approved controls:

Based on the settings in the slider, it will also modify the values in {A8A88C49-5EB2-4990-A1A2-0876022C854F}, {AEBA21Fa-782A-4A90-978D-B72164C80120}, or both. Software channel permissions (1E05) has three possible values: high, medium, and low safety. The values for these are as follows:

high: 00010000
medium: 00020000
low: 00030000

The Java Permissions setting (1C00) has the following five possible values (binary):

If Custom is selected, the custom information is stored as binary data in {7839DA25-F5FE-11D0-883B-0080C726DCBB}, which is located in the same registry location.

Each security zone contains the Description string value and the Display Name string value. The text of these values appears on the Security tab when you click a zone in the Zone box. There is also an Icon string value that sets the icon that appears for each zone. Except for the My Computer zone, each zone contains a CurrentLevel, MinLevel, and RecommendedLevel DWORD value. The MinLevel value sets the lowest setting that can be used before you receive a warning message, CurrentLevel is the current setting for the zone, and RecommendedLevel is the recommended level for the zone.

The values for MinLevel, RecommendedLevel, and CurrentLevel have the following meanings:

The Flags DWORD value determines the ability of the user to modify the security zone's properties. To determine the Flags value, add the numbers of the appropriate settings together. The following Flags values are available (decimal):

subtrees, the settings are additive. If you add Web sites to both subtrees, only those Web sites in the HKEY_CURRENT_USER subtree are visible. The Web sites in the HKEY_LOCAL_MACHINE subtree are still enforced according to their settings. However, they are not visible in the Security tab, and you cannot modify them there. This situation can be confusing because a Web site may be listed in only one security zone for each protocol.
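The two behaviours this article describes for the site lists, Security_HKLM_only (HKLM enforced, HKCU displayed) and the additive HKLM plus HKCU mode (both enforced, only HKCU displayed), as an added audit example that is not code from the article or from Microsoft. The registry paths for the Domains key and the policy key holding Security_HKLM_only are assumed from their usual locations and are not spelled out on this page; verify them on your build. On Windows the script reads the live hives; elsewhere it runs on the constructed data. The article does not say which hive wins when both list the same site with different zones while both are read, so such entries are reported as conflicts rather than resolved.

```python
"""Which security-zone site assignments are enforced versus displayed, given
Security_HKLM_only. Constructed example; not code from the KB article or from Microsoft."""
try:
    import winreg            # Windows only; the audit falls back to constructed data elsewhere
except ImportError:
    winreg = None

# Assumed well-known locations (not spelled out on the page); verify on your build.
DOMAINS_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
POLICY_SUBKEY = r"Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"

# Constructed Domains contents for each hive, flattened to (site, protocol) -> zone number.
HKLM_DOMAINS = {("intranet.contoso.com", "http"): 1,
                ("partner.fabrikam.net", "https"): 2,
                ("old.contoso.com", "http"): 4}
HKCU_DOMAINS = {("partner.fabrikam.net", "https"): 2,
                ("shop.example.com", "https"): 2,
                ("old.contoso.com", "http"): 2}

def effective_sites(hklm, hkcu, security_hklm_only):
    """Classify site assignments the way the article describes the two modes.
    enforced: what Internet Explorer applies; displayed: what the Security tab shows (always
    the HKCU list); hidden: enforced but not shown; ignored: shown but not enforced;
    mismatch: shown with a different zone than enforced; conflicts: both hives list the
    site with different zones while both are read (left out of 'enforced')."""
    displayed = dict(hkcu)
    conflicts = {}
    if security_hklm_only == 1:
        enforced = dict(hklm)                    # only local computer settings are used
    else:
        enforced = {}
        for key in set(hklm) | set(hkcu):        # HKLM settings read together with HKCU
            if key in hklm and key in hkcu and hklm[key] != hkcu[key]:
                conflicts[key] = (hklm[key], hkcu[key])
            else:
                enforced[key] = hkcu.get(key, hklm.get(key))
    return {
        "enforced": enforced,
        "displayed": displayed,
        "hidden": {k: v for k, v in enforced.items() if k not in displayed},
        "ignored": {k: v for k, v in displayed.items()
                    if k not in enforced and k not in conflicts},
        "mismatch": {k: (enforced[k], displayed[k]) for k in enforced
                     if k in displayed and enforced[k] != displayed[k]},
        "conflicts": conflicts,
    }

def _walk(key, site, out):
    """Collect REG_DWORD values (protocol -> zone) under a Domains key, then recurse into
    its subkeys, which are domains at the top level and subdomains below a domain."""
    i = 0
    while True:
        try:
            name, data, kind = winreg.EnumValue(key, i)
        except OSError:
            break
        if kind == winreg.REG_DWORD:
            out[(site, name.lower())] = data
        i += 1
    i = 0
    while True:
        try:
            sub = winreg.EnumKey(key, i)
        except OSError:
            break
        with winreg.OpenKey(key, sub) as child:
            _walk(child, f"{sub}.{site}" if site else sub, out)
        i += 1

def read_domains(hive):
    """Flatten Domains\\<domain>[\\<subdomain>] of one hive; {} when the key is absent.
    Protocol DWORDs placed directly under Domains are recorded with an empty site name."""
    out = {}
    try:
        with winreg.OpenKey(hive, DOMAINS_SUBKEY) as root:
            _walk(root, "", out)
    except OSError:
        pass
    return out

def read_security_hklm_only():
    """Security_HKLM_only DWORD from the HKLM policy key; 0 when it does not exist."""
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_SUBKEY) as key:
            return int(winreg.QueryValueEx(key, "Security_HKLM_only")[0])
    except OSError:
        return 0

if __name__ == "__main__":
    if winreg is not None:
        hklm = read_domains(winreg.HKEY_LOCAL_MACHINE)
        hkcu = read_domains(winreg.HKEY_CURRENT_USER)
        mode = read_security_hklm_only()
    else:
        hklm, hkcu, mode = HKLM_DOMAINS, HKCU_DOMAINS, 0
    report = effective_sites(hklm, hkcu, mode)
    for category in ("hidden", "ignored", "mismatch", "conflicts"):
        for (site, protocol), zone in sorted(report[category].items()):
            print(f"{category:9} {protocol}://{site} -> {zone}")
```

The categories worth acting on are hidden (a zone assignment the user cannot see or change through the Security tab) and, with Security_HKLM_only set to 1, mismatch and ignored (the tab shows a user-level assignment that is not the one being enforced), since those are exactly the cases the article calls confusing.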

References

For more information about changes to functionality in Microsoft Windows XP Service Pack 2 (SP2), visit the following Microsoft Web site: